RANGER-3725 : Update atlas default audit filter to filter Atlas entit…
…y-read events by Nifi user.

Signed-off-by: pradeep <pradeep@apache.org>
mateenmansoori authored and pradeepagrawal8184 committed Apr 29, 2022
1 parent e6dc5b5 commit f7bdb44
Showing 2 changed files with 46 additions and 2 deletions.
@@ -477,7 +477,7 @@
"validationMessage": "",
"uiHint":"",
"label": "Ranger Default Audit Filters",
"defaultValue": "[ {'accessResult': 'DENIED', 'isAudited': true}, {'users':['atlas'] ,'isAudited':false} ]"
"defaultValue": "[ {'accessResult': 'DENIED', 'isAudited': true}, {'users':['atlas'] ,'isAudited':false}, {'accessResult':'ALLOWED', 'isAudited':false, 'actions':['entity-read'], 'accessTypes':['entity-read'], 'users':['nifi']} ]"
}
],
"options": {
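Review bot: The element added to `defaultValue` switches off auditing for every allowed `entity-read` by a principal named `nifi`, and that name is hard-coded, so any account that resolves to this user name loses those records by default, including when the NiFi credential is used by something other than NiFi. How the plugin maps principals to this name is not visible here, so the actual exposure depends on the deployment. JSON cannot carry a comment, so the rationale and the override path belong in the upgrade notes, for example: `Allowed entity-read by user 'nifi' is no longer audited by default; edit the service's audit filters if these records are required.` As far as the visible value shows, denied requests stay covered by the first element, and the new element is limited to `entity-read` through both `actions` and `accessTypes`.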
@@ -27,6 +27,7 @@
import java.util.Set;

import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.apache.ranger.biz.SecurityZoneDBStore;
import org.apache.ranger.biz.ServiceDBStore;
@@ -45,6 +46,7 @@
import org.apache.ranger.plugin.model.RangerSecurityZone;
import org.apache.ranger.plugin.model.RangerSecurityZone.RangerSecurityZoneService;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.model.RangerServiceDef.RangerServiceConfigDef;
import org.apache.ranger.plugin.model.validation.RangerServiceDefValidator;
import org.apache.ranger.plugin.model.validation.RangerValidator.Action;
import org.apache.ranger.plugin.store.EmbeddedServiceDefsUtil;
@@ -135,7 +137,16 @@ public void execLoad() {
logger.error("Error whille executing PatchForSolrSvcDefAndPoliciesUpdate_J10055.", e);
System.exit(1);
}
logger.info("<== PatchForSolrSvcDefAndPoliciesUpdate_J10055.execLoad()");

try {
// For RANGER-3725 - Update atlas default audit filter
updateDefaultAuditFilter(EmbeddedServiceDefsUtil.EMBEDDED_SERVICEDEF_ATLAS_NAME);
} catch (Throwable t) {
logger.error("Failed to update atlas default audit filter, Error - ", t);
System.exit(1);
}

logger.info("<== PatchForSolrSvcDefAndPoliciesUpdate_J10055.execLoad()");
}

private void updateExistingRangerResPolicy(Long svcDefId) throws Exception {
@@ -468,4 +479,37 @@ private void deleteOldAccessTypeRefs(Long svcDefId) {
}
logger.info("<== PatchForSolrSvcDefAndPoliciesUpdate_J10055.deleteOldAccessTypeRefs(" + svcDefId + ")");
}

private void updateDefaultAuditFilter(final String svcDefName) throws Exception {
logger.info("==> PatchForSolrSvcDefAndPoliciesUpdate_J10055.updateAtlasDefaultAuditFilter()");
final RangerServiceDef embeddedAtlasServiceDef = EmbeddedServiceDefsUtil.instance()
.getEmbeddedServiceDef(svcDefName);
final List<RangerServiceConfigDef> embdSvcConfDefList = embeddedAtlasServiceDef != null ? embeddedAtlasServiceDef.getConfigs() : new ArrayList<RangerServiceConfigDef>();
String embdAuditFilterStr = StringUtils.EMPTY;

if (CollectionUtils.isNotEmpty(embdSvcConfDefList)) {
for (RangerServiceConfigDef embdSvcConfDef : embdSvcConfDefList) {
if (StringUtils.equals(embdSvcConfDef.getName(), ServiceDBStore.RANGER_PLUGIN_AUDIT_FILTERS)) {
embdAuditFilterStr = embdSvcConfDef.getDefaultValue(); // new audit filter str
break;
}
}
}

if (StringUtils.isNotEmpty(embdAuditFilterStr)) {
final RangerServiceDef serviceDbDef = this.svcDBStore.getServiceDefByName(svcDefName);
for (RangerServiceConfigDef dbSvcDefConfig : serviceDbDef.getConfigs()) {
if (dbSvcDefConfig != null && StringUtils.equals(dbSvcDefConfig.getName(), ServiceDBStore.RANGER_PLUGIN_AUDIT_FILTERS)) {
final String dbAuditFilterStr = dbSvcDefConfig.getDefaultValue();
if (!StringUtils.equalsIgnoreCase(dbAuditFilterStr, embdAuditFilterStr)) {
dbSvcDefConfig.setDefaultValue(embdAuditFilterStr);
this.svcDBStore.updateServiceDef(serviceDbDef);
logger.info("Updated " + serviceDbDef.getName() + " service default audit filter.");
}
break;
}
}
}
logger.info("<== PatchForSolrSvcDefAndPoliciesUpdate_J10055.updateAtlasDefaultAuditFilter()");
}
}
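Review bot: In `updateDefaultAuditFilter`, the result of `this.svcDBStore.getServiceDefByName(svcDefName)` is dereferenced with no null check, so a missing Atlas service-def (or a null `getConfigs()`) would throw, and the `catch (Throwable t)` in `execLoad` turns that into `System.exit(1)` for the whole patch. Whether the store returns null or throws for an absent def is not visible here; a guard before the loop such as `if (serviceDbDef == null || CollectionUtils.isEmpty(serviceDbDef.getConfigs())) { return; }` would cover both. Because this step rewrites an audit filter already stored in the database, the info line should record what was replaced, e.g. `logger.info("Updated " + serviceDbDef.getName() + " default audit filter from [" + dbAuditFilterStr + "] to [" + embdAuditFilterStr + "]");`, so a previously customised value can be recovered from the upgrade log. The entry and exit log lines name `updateAtlasDefaultAuditFilter()` while the method is `updateDefaultAuditFilter`, and the comparison uses `equalsIgnoreCase`, which would skip an update that differs only in the case of a user name.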
